This page describes how to view and implement recommendations about
removing authorized networks for instances that violate the
constraints/sql.restrictAuthorizedNetworks organization policy enforced by your
administrator. This policy violation occurs when authorized networks already exist for an instance at the time of enforcement of the constraint. This recommender is called Remove authorized networks.
Every day, this recommender
proactively detects instances that violate the
constraints/sql.restrictAuthorizedNetworks organization policy and provides insights and recommendations to improve
your instance security. You can view insights and detailed recommendations about these instances by using the Google Cloud console,
gcloud CLI, or the Recommender API.
For more information about organization policies, see Cloud SQL organization policies.
Before you begin
Ensure that you enable the Recommender API.
Required roles and permissions
To get the permissions to view and work with insights and recommendations, ensure that you have the required Identity and Access Management (IAM) roles.
| Tasks | Roles | 
|---|---|
| View recommendations | recommender.cloudsqlViewerorcloudsql.admin. | 
| Apply recommendations | cloudsql.editororcloudsql.admin. | 
List the recommendations
To list the recommendations, follow these steps:
Console
To list recommendations about instance security, follow these steps:
- Go to the Cloud SQL Instances page. 
- View the Issues column in the instance table. 
Alternatively, follow these steps:
- Go to the Active Assist. - For more information, see Exploring recommendations. 
- In the All recommendations card, click Security. 
gcloud
Run the gcloud recommender recommendations list command as follows:
gcloud recommender recommendations list \ --project=PROJECT_ID \ --location=LOCATION \ --recommender=google.cloudsql.instance.SecurityRecommender \ --filter=recommenderSubtype=REMOVE_AUTHORIZED_NETWORKS_TO_MEET_ORG_POLICY
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as us-central1.
API
Call the recommendations.list method as follows:
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.cloudsql.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=REMOVE_AUTHORIZED_NETWORKS_TO_MEET_ORG_POLICY
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as us-central1.
View insights and detailed recommendations
To view insights and detailed recommendations, follow these steps:
Console
After listing the recommendations, click a recommendation. The recommendation panel appears, which contains insights and detailed recommendations.
gcloud
Run the gcloud recommender insights list command as follows:
gcloud recommender insights list \ --project=PROJECT_ID \ --location=LOCATION \ --insight-type=google.cloudsql.instance.SecurityInsight \ --filter=insightSubtype=ORG_POLICY_TO_RESTRICT_AUTHORIZED_NETWORKS_VIOLATED
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION : A region where your instances are located, such as us-central1.
API
Call the insights.list method as follows:
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.cloudsql.instance.SecurityInsight/insights?filter=insightSubtype=ORG_POLICY_TO_RESTRICT_AUTHORIZED_NETWORKS_VIOLATED
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as us-central1.
Apply the recommendation
Console
To implement the recommendation, do the following:
- Click Manage authorized networks. 
- Configure your clients to use Cloud SQL Auth Proxy and Cloud SQL Language Connectors. 
- Remove the authorized networks on your instance. 
gcloud
To implement the recommendation, do the following:
- Configure your clients to use Cloud SQL Auth Proxy and Cloud SQL Language Connectors. 
- Remove the authorized networks on your instance. 
API
To implement the recommendation, do the following:
- Configure your clients to use Cloud SQL Auth Proxy and Cloud SQL Language Connectors. 
- Remove the authorized networks on your instance. 
What's next
- Authorized networks
- Cloud SQL Auth Proxy
- Cloud SQL Language Connectors
- Google Cloud recommenders
- Blog: Maximize your Cloud ROI